\documentclass[titlepage, 12pt, twoside]{article}
\usepackage[utf8]{inputenc}
\usepackage{graphicx}
\usepackage{rotating}
\usepackage{moreverb}
\usepackage{lscape}
\usepackage{multicol}
\usepackage[x11names]{xcolor}
\usepackage{varioref}
\usepackage{longtable}
\usepackage{subfigure}
\usepackage{caption}
\usepackage{fancyheadings}
\usepackage{cite}
\usepackage{newcent}
\usepackage{dcolumn}
\usepackage[a4paper,hmargin=3cm]{geometry}
\usepackage{mathptm}
\usepackage[a4paper,colorlinks,pdftitle={Malware},pdfauthor={rpk},pdfsubject={Malware Analyses}]{hyperref}

\begin{document}

\title{Statistical analysis of EXE and malware files}
\maketitle{}

\section{Statistical Information}
\label{sec:statistical_information}

A fresh and unused Windows~7 install from a Dell Vostr~3750 has been
used as an example of known benign software.

An analyses of the MZ header shows that ``lfanew'', the pointer to the
PE header, points to locations given in table~\ref{tab:lfanew}. The
different values are probably caused by different compilers or options
(maybe some DOS programs?). In about 85\% of the files the value is
between \$d8 and \$f8 and it is divisible by eight.
% (/ (+ 130 353 410 320 128) 1582.0) 0.8476611883691529
%The two very large values belong to the
%files
%``/Windows/Installer/\{EB4DF488-AAEF-406F-A341-CB2AAA315B90\}/MsblIco.Exe''
%and
%``/Windows/Installer/\{290D4DB2-F1B4-4B8E-918D-D71EF29A001B\}/ARPPRODUCTICON.exe''.

\begin{table}[bthp]
  \centering
  \begin{tabular}{cc}
    \$00000000 &	1  \\
    \$00000040 &	22 \\
    \$00000080 &	81 \\
    \$000000b8 &	3  \\
    \$000000c0 &	2  \\
    \$000000c8 &	4  \\
    \$000000d0 &	5  \\
    \$000000d8 &	130\\
    \$000000e0 &	353\\
    \$000000e8 &	410\\
    \$000000f0 &	320\\
    \$000000f8 &	128\\
    \$00000100 &	53 \\
    \$00000108 &	30 \\
    \$00000110 &	14 \\
    \$00000118 &	11 \\
    \$00000120 &	3  \\
    \$00000130 &	1  \\
    \$00000278 &	8  \\
    \$01280004 &	2  \\
    \$05680000 &	1
  \end{tabular}
  \caption{Pointers to the PE header in the MZ header and how many times these were found.}
  \label{tab:lfanew}
\end{table}

Table~\ref{tab:sections_benign} shows the number of sections
which were found in the files. More than 83\% of the benign files have
four or five sections.

\begin{table}
  \centering
  \begin{tabular}{cc}
    2     &      22 \\
    3     &      91 \\
    4     &      608\\
    5     &      711\\
    6     &      121\\
    7     &      6  \\
    8     &      3  \\
    9     &      2  \\
    12    &      1  \\
    22    &      8  \\
    24    &      4  \\
    27    &      1  \\
    825   &      1  \\
    4112  &      1  \\
    11315 &      1  \\
    32125 &      1  \\
  \end{tabular}
  \caption{Number of sections in benign files}
  \label{tab:sections_benign}
\end{table}

Malware files download from http://filex... have a different
distribution which is presented in
table~\ref{tab:sections_malicious}. Here only 36\% of the files have
four or five code sections.

\begin{table}
  \centering
  \begin{tabular}{cc}
    1     &  1  \\
    2     &  138\\
    3     &  463\\
    4     &  358\\
    5     &  283\\
    6     &  100\\
    7     &  42 \\
    8     &  79 \\
    9     &  26 \\
    10    &  14 \\
    11    &  38 \\
    12    &  25 \\
    14    &  39 \\
    15    &  32 \\
    19    &  20 \\
    20    &  8  \\
    21    &  20 \\
    22    &  56 \\
    23    &  9  \\
    24    &  14 \\
    27    &  3  \\
    30    &  1  \\
    36    &  5  \\
    37    &  1  \\
    38    &  1  \\
    100   &  1  \\
    8196  &  1  \\
    8200  &  1  \\
    9872  &  1  \\
    35879 &  1  \\
    36609 &  1
  \end{tabular}
  \caption{Number of sections in malicious files}
  \label{tab:sections_malicious}
\end{table}

\section{Classification}
\label{sec:classification}

Using the vostro3750 data set and the set from filex.jeek.org the
following is done.  We will use a one-class SVM for now.

\begin{enumerate}
\item Run \verb|encapsulateEXE| for all files
\item Run \verb|getSVMData| for each hexena file and save the results
  for vostro3750 files in benign.dat, whereas the results from the
  jeek.org files are saved in malicious.dat.
\item Using libsvm-tools (later on use the bindings from a SVM Haskell
  library) calculate a model.
\item Train the SVM with \verb|svm-train -n 0.08 -g 227 -s 2 benign.dat|
\end{enumerate}

Gives the following results:

\begin{verbatim}
$ svm-train -n .08 -g 227 -s 2 benign.dat
*
optimization finished, #iter = 319
obj = 236.759522, rho = 4.302856
nSV = 156, nBSV = 96

$ svm-predict benign.dat benign.dat.model out
Accuracy = 91.8953% (1440/1567) (classification)

$ svm-predict malicious.dat benign.dat.model out
Accuracy = 69.7474% (1215/1742) (classification)

$ #Other parameter give something like 80% classification
   for benign and 80% for malicious...
\end{verbatim}

Not good... this needs some improvement...

\end{document}

